Removable storage device handling

USB connections on managed devices are restricted by a service called the Ivanti Endpoint Security service. When a new volume is mounted, the service receives notification from the operating system. The service then uses the GetDriveType() API call to check the type of drive that was mounted. If the OS describes the drive as "removable" or "fixed drive", the service will take action. The service also checks for removable volumes at boot time. If an unauthorized volume is found at boot time, the same actions are taken as when the volume is mounted later.

Drives that are considered removable include (but are not limited to) USB storage devices. CD drives (read-only or read/write) are not considered removable storage.

The OS doesn't consider hard drives as removable. The GetDriveType() call describes them as "fixed drive" even if they are attached via USB or some other external port. To allow removable hard drives to be handled the same as other removable storage devices, the service records the list of hard drives at the time the service is installed. For example, if a device has two hard drives (C: and D:) at the time the service is installed, the service will consider those drives as fixed and will not check them. But if at some later time a hard drive with drive letter E: is found, the service will consider it a removable device.